CVE-2013-4545 — Curl vulnerability

CWE-31011 documents8 sources

Severity

4.3MEDIUMNVD

EPSS

0.4%

top 42.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl Haxx Libcurl

Timeline

PublishedNov 23

Latest updateMay 17

Description

cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶NVDhaxx/libcurl34 versions+33

▶Debianhaxx/curl< 7.33.0-1+3

▶NVDhaxx/curl34 versions+33

🔴Vulnerability Details

GHSA

GHSA-94rh-gwj6-33j3: cURL and libcurl 7↗2022-05-17

▶

CVEList

CVE-2013-4545: cURL and libcurl 7↗2013-11-23

▶

OSV

CVE-2013-4545: cURL and libcurl 7↗2013-11-23

▶

📋Vendor Advisories

Ubuntu

curl vulnerability↗2013-12-05

▶

Red Hat

curl: TLS/SSL certificate name check disabled with peer verification↗2013-11-15

▶

Debian

CVE-2013-4545: curl - cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the ce...↗2013

▶

💬Community

Bugzilla

CVE-2013-6422 curl: TLS/SSL certificate name check disabled with peer verification when using GnuTLS↗2013-12-04

▶

Bugzilla

CVE-2013-4545 mingw-curl: curl: TLS/SSL certificate name check disabled with peer verification [fedora-all]↗2013-11-17

▶

Bugzilla

CVE-2013-4545 mingw32-curl: curl: TLS/SSL certificate name check disabled with peer verification [epel-5]↗2013-11-17

▶

Bugzilla

CVE-2013-4545 curl: TLS/SSL certificate name check disabled with peer verification↗2013-11-11

▶